Help me understand how FreeRADIUS works and works ...
Under the cut my observations and considerations.
Once upon a time I successfully configured freeradius + freenibs according to the manuals, without really delving into what it does and how it works.
Now there is an inverse problem :)
While analyzing the radius config, and delving into its structure, I realized the following:
(correct me in those places where I am mistaken)
1) for almost every sneeze RADIUS has a module that performs one or more of the following things at once: authentication, authorization, accounting, and a few rarer actions.
2) modules, although they have the same interface to the program, serve different purposes
3) the radius config consists of several parts, such as:
modules {} - setting the parameters of modules
authorize {}
authenticate {}
accounting {}
and several less important ones.
4) depending on which part (authorize, authenticate, accounting) the module's name appears in, its corresponding function is called ... That is, the module can act as an authenticator and an authorizer, and also deal with accounting.
So a number of questions arise:
1) how do authorize and authenticate differ? What actions do the modules listed in each of them perform?
2) there are pap, chap, mschap modules - I don't understand where they get the authentication data from. And do they do user authentication at all, or is it authorization after all? I confuse these concepts.
3) in fact, where the need to deal with RADIUS came from in the first place: external authentication must be done through a third-party program. It is known that it needs to be given a user login and password, and at the output it will work like a RADIUS module - it will return 0, 1, ... and a pair of attributes. For this, I found the exec module - but for some reason the simplest program, whose body is only int main (...) {exit (0);}, does not authorize users.
I would be grateful for any comments and clarifications regarding how FreeRADIUS works.
Maybe based on the results of understanding all this in my head I will write an article.
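
The section dispatch described in observations 3) and 4), as an added example that is not part of the original post and is not FreeRADIUS source code: a simplified Python model in which each module exposes the same hooks and the server calls the hook matching the section the module is listed in. All class and function names, the return codes and the sample user are assumptions made for illustration; the one FreeRADIUS behaviour modelled is that a module in authorize selects the method through the Auth-Type control attribute and the authenticate section then runs only the matching module.

```python
import hmac

OK, NOOP, REJECT = "ok", "noop", "reject"   # simplified return codes

class Module:
    """Common interface: one hook per config section, no-op by default."""
    def authorize(self, request, control): return NOOP
    def authenticate(self, request, control): return NOOP
    def accounting(self, request, control): return NOOP

class Files(Module):
    USERS = {"alice": "s3cret"}              # constructed sample data
    def authorize(self, request, control):
        password = self.USERS.get(request["User-Name"])
        if password is None:
            return NOOP
        control["Cleartext-Password"] = password   # reference value for later
        return OK

class Pap(Module):
    def authorize(self, request, control):
        # Checks nothing here; it only selects the method for the next phase.
        if "User-Password" not in request:
            return NOOP
        control.setdefault("Auth-Type", "PAP")
        return OK
    def authenticate(self, request, control):
        known = control.get("Cleartext-Password")
        if known is None:
            return REJECT
        same = hmac.compare_digest(known.encode(), request["User-Password"].encode())
        return OK if same else REJECT

class ExitZero(Module):
    """Stand-in for the post's exec'd program whose body is only exit(0)."""
    def authorize(self, request, control):
        return OK                             # success, but nothing is set

def access_request(request, authorize, authenticate):
    control = {}
    for module in authorize:                  # phase 1: the authorize {} list
        if module.authorize(request, control) == REJECT:
            return "Access-Reject"
    handler = authenticate.get(control.get("Auth-Type"))
    if handler is None:                       # no module claimed the request
        return "Access-Reject"
    result = handler.authenticate(request, control)   # phase 2
    return "Access-Accept" if result == OK else "Access-Reject"

PAP = Pap()
GOOD = {"User-Name": "alice", "User-Password": "s3cret"}
BAD = {"User-Name": "alice", "User-Password": "guess"}
```

In this model, a module that only reports success during authorize leaves Auth-Type unset, so the request is rejected before any password check runs.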